Re: RPM security (a newbie question)
- From: Todd Zullinger <tmz@xxxxxxxxx>
- Date: Thu, 2 Apr 2009 08:38:48 -0400

Rahul Sundaram wrote:
> Stanisław T. Findeisen wrote:
>> Well, it looks that those "review guidelines" cover mostly
>> administrative/legal issues. It looks that no one cares about the
>> source code.
>
> You missed that the review guidelines have a source check as well.
> Read it in detail.

While the review guidelines do make sure that the source code matches
upstream¹, that doesn't ensure that upstream doesn't have backdoors,
holes, malicious content, etc.

The only solution for that is more eyes looking over the code that
makes up the OS. What mitigates that is knowing that if upstream has
such code, it may be noticed not only by Fedora, but by any other
distro or user. And that would surely become known rather quickly.

One big advantage that free software has is that anyone is free to
look over the code. The more people that use that freedom, the better
off we'll all be.

¹ https://fedoraproject.org/wiki/Packaging:ReviewGuidelines includes:

    MUST: The sources used to build the package must match the upstream
    source, as provided in the spec URL.

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I always keep a supply of stimulant handy in case I see a snake -
which I also keep handy.
-- W. C. Fields
fedora-list mailing list